PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support


PingOne Quick Start Guides How to Set Up a PingFederate Connection to the PingOne Dock Version 1.1 December 2014 Created by: Ping Identity Support

Disclaimer

This document is proprietary and not for general publication. It may be provided ad hoc for informational purposes only, and the information herein is subject to change without notice. Ping Identity does not provide any warranties and specifically disclaims any liability in connection with this document. Note that Ping Identity may not provide support for any sample configurations provided in this document. The variability inherent among security environments prevents full testing and support for all possible platform configurations. If you need special assistance or would like to inquire about implementation or support programs, please contact Ping Identity Global Client Services (support.pingidentity.com).

Contact Information

Ping Identity Corporation
1001 17th Street Suite 100
Denver, CO 80202 U.S.A.
Direct: 303.468.2900
Sales: 877.898.2905
Fax: 303.468.2909
E-mail: info@pingidentity.com
Web Site: http://www.pingidentity.com

© 2014 Ping Identity Corporation. All rights reserved.

Contents

Disclaimer
Contact Information
Introduction
1. Setting up the PingOne Dock on PingOne
1.1. Beginning Identity Bridge Setup
1.2. Creating the PingFederate Connection to PingOne
1.3. Exporting PingFederate Metadata
1.4. Completing Identity Bridge Setup
1.5. Testing the PingOne Dock Access
2. Adding Applications to the PingOne Dock & Managing User Access
2.1. Add an existing SSO URL or Non-SSO URL to the PingOne Dock
2.2. Managing User Groups
2.3. Adding an Application from the Application Catalog
2.4. Manually Adding a New SAML Application
2.5. Manually Adding a Basic SSO Application

Introduction

This guide is intended to help PingFederate administrators set up the PingOne Dock (formerly called CloudDesktop). It walks an administrator through how to set up the SAML connection to PingOne and configure the PingOne Dock.

1. Setting up the PingOne Dock on PingOne

This guide assumes you have registered a PingOne Employee SSO account at the PingOne registration page here: https://admin.pingone.com/web-portal/register/

For more information on PingOne in general, refer to the online documentation found here: http://documentation.pingidentity.com/pingone/employeessoadminguide/#adminOverview.html

1.1. Beginning Identity Bridge Setup

a. After completing registration you will see your PingOne Dashboard. Click on Setup in the top right of the menu bar to begin.

b. PingOne supports a number of Identity Bridges. Choose Ping Federate (SAML) and click on Setup to continue.

c. Click on Download Metadata File located on the right half of the page. This will allow you to save the PingOne Metadata File to a system that has browser access to your PingFederate server. You'll need this file momentarily to set up a connection within PingFederate. After downloading the file, click on Continue to Next Step.

Note that your PingOne Metadata file will be different depending on whether Enable an account-specific Entity ID is selected. If you intend to use this identity bridge for more than one PingOne account, select Enable an account-specific Entity ID. See Connections to Multiple PingOne Accounts for more information. The result is a unique EntityID and the metadata file will be dynamically updated to reflect this:

By default, this is unchecked and the default EntityID is PingConnect.
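Before importing the downloaded file, it helps to read out the values you will later compare against the PingFederate connection summary. The following is an added example, not part of the original guide or Ping Identity's tooling; the sample metadata, its host name and path are constructed placeholders, and splitting the ACS location into a Base URL and a path is an assumption about how PingFederate displays it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DEFAULT_ENTITY_ID = "PingConnect"  # default Entity ID stated in step 1.1 c

# Constructed SP metadata for illustration; host and path are placeholders,
# not PingOne's real endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="PingConnect">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/sp/ACS.saml2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Extract the values to compare against PingFederate after import."""
    # Metadata never needs a DTD; rejecting it avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE present; refusing to parse")
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % MD["md"]
    entity = root if root.tag == tag else root.find(".//md:EntityDescriptor", MD)
    if entity is None:
        raise ValueError("no EntityDescriptor found")

    endpoints, warnings = [], []
    acs_path = "md:SPSSODescriptor/md:AssertionConsumerService"
    for acs in entity.iterfind(acs_path, MD):
        location = acs.get("Location", "")
        url = urlsplit(location)
        if url.scheme != "https":
            warnings.append("ACS endpoint is not HTTPS: " + location)
        endpoints.append({
            "binding": acs.get("Binding", "").rsplit(":", 1)[-1],
            # Assumption: Base URL is scheme://host[:port], the rest is the path.
            "base_url": url.scheme + "://" + url.netloc,
            "acs_path": url.path,
        })
    if not endpoints:
        warnings.append("no AssertionConsumerService in metadata")

    entity_id = entity.get("entityID")
    return {
        "entity_id": entity_id,
        # False means the shared default Entity ID is in use.
        "account_specific": entity_id != DEFAULT_ENTITY_ID,
        "endpoints": endpoints,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(summarize_sp_metadata(SAMPLE_METADATA))
```

Run it against your own downloaded file by passing the file's text to `summarize_sp_metadata`; an `account_specific` value of `False` means the file carries the default Entity ID.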

1.2. Creating the PingFederate Connection to PingOne

Access your PingFederate instance and import the PingOne Metadata file you downloaded. You will either need to create a new IDP Authentication Adapter or utilize an existing one for this connection. The PingFederate connection wizard will walk you through this process.

Detailed in this section you will find example summaries of a PingFederate connection configuration. You can use these as a guide to understand which variables and settings are most important to configure when creating the connection to PingOne.

- SP Connection

Verify that the Entity ID and Base URL match what is shown in the screenshot. This information would have been automatically added if you used the PingOne Metadata file to create the connection.

- Browser SSO

At a minimum, both IdP-Initiated SSO and SP-Initiated SSO should be set to true. PingOne also supports SLO, so these options can be enabled in PingFederate if the feature is available with the Service Providers.

- Assertion Creation

PingOne requires the attributes SAML_SUBJECT and memberof in the SAML Assertion it receives from PingFederate. SAML_SUBJECT identifies the user, while the memberof attribute allows administrators to control what applications are viewed in the PingOne Dock by particular AD Groups. Application access is configured in the User Groups area of the admin portal, which is covered in section 2.2 Managing User Groups.

*Note: The attributes fname and lname are both optional, but if added they are used to personalize a user's PingOne Dock page by displaying their full name in the top right hand corner.

- Attribute Sources & User Lookup

The important sections are highlighted. In this example the values represented are from Active Directory.

- Protocol Settings

Verify that the Assertion Consumer Service URL matches what is shown in the screenshot below. For reference, this is appended to the base URL defined in the SP Connection section above.

1.3. Exporting PingFederate Metadata

a. Export the metadata for the new PingOne connection you created by clicking on Manage All SP under SP Connections located on the PingFederate Main Menu page.

b. Click on Export Metadata next to the Connection you plan to use with PingOne.

c. Do not select a Signing Certificate. Leave this field empty (default) and click on Next.

d. Confirm that the Signing Certificate says None, then click on Export and save the metadata.xml file to the local system.

1.4. Completing Identity Bridge Setup

a. Upload the PingFederate Metadata File to PingOne by clicking on Choose File and selecting the metadata.xml file you exported from your PingFederate server. Click on Save to upload the file.

If the upload was successful you will see the following message:

b. Next, go to Setup -> Dock Configuration, check off Show Advanced Settings and click Edit. In this section, you can change your PingOne Dock Company ID. The name is automatically appended to the PingOne Dock URL (the URL you will use to access the PingOne Dock).

*Note: Your PingOne Dock URL is always visible on your PingOne Dashboard, which is the first page you see after logging in to the PingOne admin portal. You can also reach it by clicking on Dashboard at the top.


*Note: For additional guidance on PingOne Dock customization options, please refer to the following section in the online docs: http://documentation.pingidentity.com/pingone/employeessoadminguide/#configclouddesktopsettings.html

c. Further down the page you can also adjust the AP Attributes used by the PingOne Dock. The values should match what you configured in your Attribute Contract configuration in PingFederate. When ready to continue, click on Update to save your setting and then click on Finish to complete setup. The PingOne Dock is now configured and ready for SSO.

1.5. Testing the PingOne Dock Access

*Important Note: SSO users must be a member of at least one additional group other than Domain Users.

a. Copy the PingOne Dock URL from the Dashboard, open a new browser page and navigate to the URL.

b. After being challenged by your IdP adapter and successfully authenticating, users will be taken to a personalized PingOne Dock. After closing the welcome message, they will see an empty desktop since no applications have yet been configured.
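When a test login fails or the Dock shows the wrong applications, checking a captured assertion against the attribute requirements from the Assertion Creation summary in 1.2 and the group note in 1.5 narrows the cause quickly. The following is an added example, not part of the original guide or Ping Identity's tooling; the sample assertion is constructed, the check assumes SAML_SUBJECT is carried as the assertion's Subject/NameID, and it does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; the user and groups are made up.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2014-12-01T00:00:00Z">
  <saml:Issuer>idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>CN=Domain Users,CN=Users,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Sales,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_cn(value):
    """Return the CN of an AD distinguished name, or the value unchanged."""
    first = value.split(",", 1)[0].strip()
    return first[3:] if first.upper().startswith("CN=") else first


def check_assertion(xml_text):
    """Return {'errors': [...], 'notes': [...]} for one decoded assertion."""
    if "<!DOCTYPE" in xml_text.upper():
        return {"errors": ["DOCTYPE present; refusing to parse"], "notes": []}
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    # Accept a bare Assertion or one wrapped in a samlp:Response.
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"errors": ["no Assertion element found"], "notes": []}
    errors, notes = [], []

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("SAML_SUBJECT missing: no Subject/NameID value")

    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)

    # Attribute name matched exactly as the guide spells it: memberof.
    groups = [group_cn(v) for v in attrs.get("memberof", [])]
    if not groups:
        errors.append("memberof missing or empty")
    elif all(g.lower() == "domain users" for g in groups):
        errors.append("memberof lists only Domain Users")

    for optional in ("fname", "lname"):
        if optional not in attrs:
            notes.append(optional + " not sent (optional)")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```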

2. Adding Applications to the PingOne Dock & Managing User Access

2.1. Add an existing SSO URL or Non-SSO URL to the PingOne Dock

a. From the My Application tab click on Add Application and select New SAML Application.

b. Input the relevant Application Details. Application Name and Application Description are required fields. When ready, click on Continue to Next Step.

*Important Note: PNG is the only accepted image format.

c. Click on I have the SSO URL. You can enter an SSO URL you already use from PingFederate, or alternatively you can enter a non-SSO URL such as a link to an intranet site that does or does not require additional user authentication. When ready, click on Save & Publish to continue.

d. Here you can review and confirm that the SSO URL is correct (a clickable link is provided for testing). The Application can still be accessed directly just as it was before setting up PingOne, but will now also be available as a clickable icon in the PingOne Dock. When ready, click on Finish to complete the setup.

*Important Note: Since the PingOne Dock is designed to provide an online web portal for users to seamlessly access SaaS Applications without entering a password, it is important to make your users aware of any non-SSO Applications or URL links where they will be asked to enter credentials.

2.2. Managing User Groups

Administrators can control what applications are displayed to users based on their Group Membership. Groups are pulled into PingOne when users log in to the PingOne Dock.

a. To see or create User Groups, click on the Users tab at the top of the page.

b. Since you have already logged in when testing the PingOne Dock Access in step 1.5, you should see some user groups listed here. Click the Edit button next to a group you wish to manage.

c. Click the checkboxes next to the application you wish the members of this group to be able to see and use. When finished, click on Save.

2.3. Adding an Application from the Application Catalog

a. Click on the Application Catalog tab (at the top of the page).

b. In the search field start to type the name of the Application you wish to configure. When you see it in the search results, click on Details to show information about the app. Click on Setup to begin configuration.

c. You are presented with some SSO information about the Application, as well as a set of instructions to follow. Below is an example of the SSO Instructions required to configure Salesforce. We will use this Application as an example and walk through the steps to configure it in PingOne. The instructions first tell us how to configure SSO in Salesforce. Once this is complete, you would click on Continue to Next Step.


d. In the next step, you can configure the ACS URL and Entity ID. The fields are populated automatically, but with some applications, the instructions will tell you to modify these values to conform to the Service Provider's requirements. In this example, Salesforce uses the same values for all customers, so nothing needs to be changed. When ready, you would click Continue to Next Step.

e. In this step, you will need to map the AP Attribute Name to the relevant IDP Attribute Name as required by the Application. Since Salesforce requires a user's email address as the SAML_SUBJECT, and we are using Active Directory, we enter mail, which is the common Active Directory Attribute for the user's email address.

*Important Note: Since some Applications may require the mapping of additional Attribute values (like email address in the above example), you may need to extend the Attribute Contract in PingFederate to include this.

Click on Continue to Next Step.

Here, you can custom brand the logo and application info, for example if you have an internal naming reference for the Application. When ready, you would click on Save & Publish.

f. In the final step, you are able to review the configuration. This is a summary of important information that may be required by the Service Provider to complete the setup of SSO for their Application. Links are provided again at the bottom to download the PingOne signing certificate as well as the PingOne Metadata, which has the certificate embedded. You are also given the SSO URL for the application, including a clickable link for testing. This can be used to SSO directly to the Application without going through the PingOne Dock. Click on Finish to complete the setup.

g. Back at the My Application tab, you will see your newly added Application. Clicking on Initiate Single Sign-On (SSO) URL allows you to test the Application's SSO URL.

2.4. Manually Adding a New SAML Application

*Important Note: This feature is used for adding internal SAML enabled Applications. If you wish to configure an Application from an external Service Provider and cannot find it in the Application Catalog, please fill out this request form at https://www.pingidentity.com/en/products/pingone/request-a-saas.html to have it added for you.

a. From the My Application tab click on Add Application and select New SAML Application.


b. Input the relevant Application Details. Application Name and Application Description are required fields. When ready, click on Continue to Next Step.

*Important Note: PNG is the only accepted image format.

c. Next, you will need to input the SAML configuration details for your Application. You can either upload the Application's Metadata file or manually enter the ACS URL, the Entity ID, and upload the Verification Certificate, all of which are required. A Download link for the PingOne Metadata is provided for configuring the connection on the Application side. When ready, click on Continue to Next Step.

d. Here, you will need to configure SSO Attribute Mapping. Click on Add new attribute to create new values as required by your application. When ready, click on Save & Publish.

e. In the final step, you are able to review the configuration. This is a summary of important information that may be required by the Service Provider to complete the setup of SSO for the Application. Links are provided again at the bottom to download the PingOne signing certificate, as well as the PingOne Metadata, which has the certificate embedded. You are also given the SSO URL for the application, including a clickable link for testing. This can be used to SSO directly to the Application without going through the PingOne Dock. Click on Finish to complete the setup.

2.5. Manually Adding a Basic SSO Application

*Important Note: This feature is used for adding internal Basic SSO Applications. If you wish to configure an Application from an external Service Provider and cannot find it in the Application Catalog, please fill out the request form at https://www.pingidentity.com/en/products/pingone/request-a-saas.html to have it added for you.

a) From the My Application tab click on Add Application and select New Basic SSO Application.

b) Follow the instructions outlined in the online documentation: http://documentation.pingidentity.com/pingone/employeessoadminguide/ - enablebasicssoapp.html